Choosing the Right Industrial Cybersecurity Framework

It’s no surprise that industrial environments have become increasingly valuable targets for malicious activity. The State of Security has covered many cybersecurity events in the recent past across a myriad of industrial verticals, including but not limited to chemical manufacturing, transportation, power generation and petrochemical. Several of these industries have taken great strides in improving their defensive posture, mostly thanks to governmental regulatory compliance requirements.

Most organizations with industrial control systems (ICS) fall into one of two categories: regulated and non-regulated. For those subject to governmentally imposed regulatory requirements, the selection of a cybersecurity framework is already compelled by those requirements; please continue reading through the remainder of the article. For those who aren’t subject to regulatory requirements, feel free to skip over the next section, titled “Regulated Approach,” and start back up at “General Approach.”

If you’re not subject to any regulatory requirements, the following section, “Regulated Approach,” could still be of interest, especially if 1) your industry is moving in this direction in the near future or 2) you’d like to better understand how your regulated counterparts have been measuring the state of their security posture.

Regulated Approach

I’m not one to praise the government in its efforts to impose requirements on businesses, but in this case, it’s had a rather impressive positive effect. I’m, of course, alluding to the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and the Nuclear Energy Institute (NEI) 08-09 requirements, which have undergone many changes over the past decade to become what they are today.

These specialized requirements have been tailored for the electric utility and nuclear power generation sectors, respectively. If you’re subject to these requirements (or to several of the other lesser-known requirements out there), you know that they can be burdensome, but they are, of course, intended to improve visibility, implement protective controls and establish continuous monitoring.

But what about those environments that are not subject to these regulatory requirements?

Consider extending the reach of your internal compliance programs and technology into assets and environments that didn’t meet the thresholds for regulatory compliance. The time and effort your organization has put into deploying security and compliance controls can, more often than not, be re-deployed and extended into additional areas of the business and the industrial process more quickly, more cost-effectively and more easily than the initial deployment. You still obtain meaningful benefits, without subjecting those assets to audits or the dreaded Reliability Standard Audit Worksheets (RSAWs).

Another approach for regulated utilities is to apply an additional cybersecurity framework to your environments. Implementing a second, third or even fourth framework gives you a different perspective on some of the very same controls you’ve already put in place, and it may reveal inadequacies or gaps in coverage in certain areas.

Tripwire Enterprise makes what would initially appear to be a daunting task quite easy. Tripwire Enterprise policies can be deployed “side-by-side” within your environment without having to re-check devices (workstations, servers, HMIs, PLCs, RTUs, etc.) with new rules. I will go over some of the widely published and utilized frameworks in the section below, titled “General Approach.”

General Approach

Unfortunately (and yes, fortunately also), for most industrial verticals there is no mandatory framework of hardening guidelines that has been built and refined for your use case. So, where do you start?

First, make sure that a framework for your industry doesn’t already exist. Google is your friend. Sector-specific examples mentioned in this article include NERC CIP for electric utilities, NEI 08-09 for nuclear power generation and the AWWA guidance for water utilities.

If your search came up short, there are some fantastic industrial cybersecurity frameworks available to you that are generic in nature. At this stage of your cybersecurity lifecycle, don’t be overwhelmed by trying to decide which standard to adopt or follow. The most important decision is to adopt one. Doing nothing can have major consequences, and just getting started is sometimes the hardest part.

Here’s a chart to help you navigate some of the frameworks at your disposal:

Applying the controls suggested by each of these respective frameworks can be an overwhelming task if you’re starting from nothing, but don’t let that discourage you. Tripwire has some fantastic tools in its portfolio that can assist with the implementation.

Take a look at Tripwire’s ICS Security Suite as a great starting point. Whether your journey to secure your industrial control system has just begun or you’re a seasoned pro, choosing the correct industrial cybersecurity framework can be a daunting task. Although you may not fit directly within one of the scenarios I played out, I hope I have provided you with some insight into some of the more prominent frameworks available today.

Also, you can join me on November 8 as I explore the various cybersecurity frameworks for ICS, such as NERC CIP, AWWA, IEC 62443 and NIST SP 800-82, and their applicability in various industrial environments.

Key takeaways from this session will include:

An introduction to various cybersecurity frameworks

Guidance on selecting which cybersecurity framework is a good fit for your plant’s networks